Two-Factor Authentication in your Rails App with Devise & Yubikey

Most Rails applications have some sort of "user" model representing either customers who consume the service or administrators who publish content to the web application. It's important that these users are authenticated (that they are who they say they are). For user authentication in a Ruby on Rails application, Devise is one of the best solutions out there: it has a very active community and a wide variety of options and extensions to fit your business model. Sometimes customers ask for, or the application requires, an additional layer of authentication beyond the basic username/password combination.

There is one last change to make to the code of the project. The field for the yubikey one-time password is not in Devise's default user session login screen. You will need to generate the Devise views and overwrite the new user session page so the form includes it.

5. Add user management to the application for regulating and associating yubikeys with users

For this application I just created a user and added a yubikey to them through the rails console. To require a user to log in with a yubikey, the boolean use_yubikey needs to be set to true. The user also needs to have the registeredyubikey field set to their yubikey. I did this through the console by copying the text output from the yubikey to the clipboard and setting the field in the console. Part of the code that was added to the user model is designed to peel off the first 11 characters of the yubikey one-time password, which is its static and unique identifier.

In a real world application there will need to be features built in to managing the yubikey for the user. If the customers/users will be providing their own yubikey they will need to update these settings themselves. However if the yubikeys are distributed to a small group of users, managing these attributes should probably be hidden behind some administration side of the application.
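The user-model logic and the management step described above, as an added example that is not the post's own code. It is plain Ruby rather than a Devise/ActiveRecord model so it runs stand-alone; the names User, YubikeyOtp, register_yubikey! and second_factor_ok? are assumptions. Two points differ from the post and are labelled in the code: the post peels off the first 11 characters, while Yubico's standard OTP layout is a 12-character modhex public identity followed by 32 modhex characters of ciphertext (44 in total), so the example uses 12 and keeps the length in one constant; and the call to a validation server that proves the OTP is genuine and unused is not shown in the post, so it is injected as a `verifier` callback.

```ruby
# Added example (not from the original post): Rails-free sketch of the
# yubikey fields added to the user model and the login-time check.
# Assumptions: Yubico OTP layout of 12 modhex public-id chars + 32 modhex
# ciphertext chars; the User/YubikeyOtp names; the verifier callback.
module YubikeyOtp
  MODHEX = /\A[cbdefghijklnrtuv]+\z/   # Yubico's modhex alphabet
  PUBLIC_ID_LENGTH = 12                 # the post uses 11; Yubico's layout is 12
  OTP_LENGTH = 44

  # Returns the static public identity of a Yubico OTP, or nil when the
  # string is not shaped like one. Callers treat nil as a failed login.
  def self.public_id(otp)
    otp = otp.to_s.strip.downcase
    return nil unless otp.length == OTP_LENGTH && otp.match?(MODHEX)
    otp[0, PUBLIC_ID_LENGTH]
  end

  # Constant-time comparison: a mismatch in the first byte costs the same
  # as a mismatch in the last, so timing does not leak the stored id.
  def self.secure_equal?(a, b)
    return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Plain-Ruby stand-in for the Devise user record with the two attributes
# the post adds: use_yubikey (boolean) and registered_yubikey (public id).
class User
  attr_accessor :email, :use_yubikey, :registered_yubikey

  def initialize(email:, use_yubikey: false, registered_yubikey: nil)
    @email = email
    @use_yubikey = use_yubikey
    @registered_yubikey = registered_yubikey
  end

  # The console/admin step from the post: paste one OTP from the key, store
  # only its public id (the remaining 32 characters are single-use) and
  # turn the requirement on for this user.
  def register_yubikey!(otp)
    id = YubikeyOtp.public_id(otp)
    raise ArgumentError, "not a Yubico OTP" if id.nil?
    self.registered_yubikey = id
    self.use_yubikey = true
    id
  end

  # Second-factor check run after Devise has verified the password.
  # The identity comparison only proves WHICH key produced the OTP; the
  # verifier (assumed interface: takes the OTP, returns true/false, e.g. a
  # validation-server client) proves the OTP is genuine and unused.
  def second_factor_ok?(otp, verifier:)
    return true unless use_yubikey                      # 2FA not enabled
    id = YubikeyOtp.public_id(otp)
    return false if id.nil? || registered_yubikey.nil?
    return false unless YubikeyOtp.secure_equal?(id, registered_yubikey)
    verifier.call(otp) == true
  end
end

# Constructed sample OTP (not a real key): 12-char public id + 32 chars.
SAMPLE_OTP = "ccccccfcfhbv" + "hgenrtcgbtfhrijklutlnuunidhjvjdt"
```

Anything the admin side lets a user change (the public id, the use_yubikey flag) goes through register_yubikey! so the whole OTP is never persisted; the login path only ever compares the stored public id and then asks the verifier about the full OTP.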


Although U2F logins are not yet available to the public, Google has already deployed several hundred thousand YubiKey Neo devices to its employees since the beginning of 2013, according to Yubico CEO, Stina Ehrensvärd. Google’s Product Management Director for Information Security, Sam Srinivas confirmed the scope of the internal pilot program – as well as a 2014 public release – and says that the response to the device has been overwhelmingly positive, with employees remarking on the ease of use.

Yubikey's also vulnerable to realtime phishing attacks. You can simply use SMS authentication (probably easier because most already have phones, and defeats certain attacks that yubikey can't) and get similar results.

There's a serious vulnerability that was released two days ago (https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion) and a certain security group has already automated the exploitation scheme for it.

It sounds like you fall into the first category of application I mentioned. Since it's not feasible to distribute keys to all your users, you would have to introduce this as an optional feature. Your customers would have to purchase their own yubikey and you would have to allow them to turn on the use_yubikey boolean and set their registeredyubikey to the yubikey they purchased somewhere in your application.

I'm not sure how your business model works but the nice thing about it being an optional feature is that you can use it as an incentive to purchase/subscribe to the next tier. This is what lastpass.com does.

One other cost associated with introducing this is that you do have to build in features to support users changing or losing their keys.